From df8d456507bc8e351d1163dd8323c003ebe2de88 Mon Sep 17 00:00:00 2001
From: ChengYou Ho
Date: Fri, 16 Sep 2022 20:35:56 +0000
Subject: [PATCH 1/4] gsc.mk: install weaver AIDL service
Bug: 246952216
Change-Id: I74531b175d3d88c17bf644800951ca4d61d11fd8
---
 dauntless/gsc.mk | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 6770acb..d3fb5e9 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -6,6 +6,7 @@ PRODUCT_PACKAGES += \
 citadeld \
 citadel_updater \
 android.hardware.weaver@1.0-service.citadel \
+ android.hardware.weaver-service.citadel \
 android.hardware.authsecret-service.citadel \
 android.hardware.identity@1.0-service.citadel \
 init_citadel \
From f31f736d36f2b0128b6f2f33dec26fb4dc3b2e3c Mon Sep 17 00:00:00 2001
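Review bot: The AIDL service is added while `android.hardware.weaver@1.0-service.citadel` stays in PRODUCT_PACKAGES two lines above, so both a HIDL and an AIDL Weaver HAL get installed, and nothing in this patch or the rest of the series removes or disables the HIDL one. If init starts both, two processes will drive the same Weaver slots through citadeld and the framework may see two providers; confirm that the HIDL service's init entry or manifest declaration is dropped in a change not shown here. If keeping both is intentional for the migration, record it on the line, e.g. `# AIDL Weaver HAL; supersedes weaver@1.0 once the device manifest switches over`.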
From: ChengYou Ho
Date: Fri, 16 Sep 2022 20:36:39 +0000
Subject: [PATCH 2/4] Add weaver AIDL service sepolicy
avc: denied { call } for scontext=u:r:hal_weaver_citadel:s0 tcontext=u:r:citadeld:s0 tclass=binder permissive=1
avc: denied { find } for pid=3023 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_weaver_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1
avc: denied { read } for comm="android.hardwar" name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_weaver_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { write } for comm="android.hardwar" name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_weaver_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:hal_weaver_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6209 scontext=u:r:hal_weaver_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { map } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:hal_weaver_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
Bug: 246952216
Change-Id: Id77dc947327a0b9f963fd98bd0143a1b86f646dd
---
 dauntless/sepolicy/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dauntless/sepolicy/file_contexts b/dauntless/sepolicy/file_contexts
index a1d382b..8d59a51 100644
--- a/dauntless/sepolicy/file_contexts
+++ b/dauntless/sepolicy/file_contexts
@@ -3,6 +3,7 @@
 /vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
From abfb0bafa5d2c1b28fb0f102f8714fb52b90ff1b Mon Sep 17 00:00:00 2001
From: ChengYou Ho
Date: Thu, 15 Sep 2022 16:13:00 +0000
Subject: [PATCH 3/4] gsc.mk: install oemlock aidl service
Bug: 240932137
Test: VtsHalOemLockTargetTest
Change-Id: Ib46ddafc41f64858e4db099978b6ba89bfa119b9
---
 dauntless/gsc.mk | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 6770acb..fc0278d 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -7,6 +7,7 @@ PRODUCT_PACKAGES += \
 citadel_updater \
 android.hardware.weaver@1.0-service.citadel \
 android.hardware.authsecret-service.citadel \
+ android.hardware.oemlock-service.citadel \
 android.hardware.identity@1.0-service.citadel \
 init_citadel \
 android.hardware.strongbox_keystore.xml \
From 141c01ba0c4904b0f8353cb4a85e828c0f3c4774 Mon Sep 17 00:00:00 2001
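Review bot: The commit message lists seven denials in the `hal_weaver_citadel` domain (binder `call` to citadeld, `service_manager find` on `citadeld_service`, and read/write/open/ioctl/map on `vndbinder_device`), yet the hunk only labels the new binary `hal_weaver_citadel_exec`; no `.te` rule in this patch grants any of them. If `hal_weaver_citadel.te` (outside this diff) already has `vndbinder_use`, `binder_call(..., citadeld)` and the `citadeld_service:service_manager find` rule, those denials should not have appeared in that domain and the message is misleading; if it does not, the AIDL service will keep failing once the domain is enforcing. Either add the rules here, the way PATCH 4/4 does for the oemlock domain in `hal_oemlock_citadel.te`, or trim the message to the labelling this change actually performs.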
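Review bot: This hunk is cut against the same pre-image of gsc.mk as PATCH 1/4 (both carry `index 6770acb..`), and its context lines lack the `android.hardware.weaver-service.citadel` line that PATCH 1/4 inserts right after `android.hardware.weaver@1.0-service.citadel`, so applying the series in order is likely to fail on this hunk rather than stack it on patch 1. The file_contexts hunk of PATCH 4/4 has the same problem: its `index a1d382b..b8a54d2` starts from the blob that PATCH 2/4 already replaces, and its context omits the weaver-service line. Rebase patches 3 and 4 onto 1 and 2 so the context includes the weaver lines, or state in the cover letter that the two pairs are independent and not meant to be applied as one series.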
From: ChengYou Ho
Date: Thu, 15 Sep 2022 16:16:08 +0000
Subject: [PATCH 4/4] Add oemlock aidl service sepolicy
1. avc: denied { find } for pid=889 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1
2. avc: denied { read } for name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
3. avc: denied { write } for name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
4. avc: denied { open } for path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
5. avc: denied { ioctl } for path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6209 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
6. avc: denied { call } for scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1
Bug: 240932137
Change-Id: I804d925e020f6adfe8cd0c34aedead366c99adc0
---
 dauntless/sepolicy/file_contexts | 1 +
 dauntless/sepolicy/hal_oemlock_citadel.te | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 dauntless/sepolicy/hal_oemlock_citadel.te
diff --git a/dauntless/sepolicy/file_contexts b/dauntless/sepolicy/file_contexts
index a1d382b..b8a54d2 100644
--- a/dauntless/sepolicy/file_contexts
+++ b/dauntless/sepolicy/file_contexts
@@ -5,6 +5,7 @@
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
 /vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
diff --git a/dauntless/sepolicy/hal_oemlock_citadel.te b/dauntless/sepolicy/hal_oemlock_citadel.te
new file mode 100644
index 0000000..d3ff719
--- /dev/null
+++ b/dauntless/sepolicy/hal_oemlock_citadel.te
@@ -0,0 +1,9 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_oemlock_citadel)
+binder_call(hal_oemlock_citadel, citadeld)
+allow hal_oemlock_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_oemlock_citadel, hal_oemlock)
+init_daemon_domain(hal_oemlock_citadel)
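Review bot: The new `hal_oemlock_citadel.te` has no header comment, so a reader must infer from `binder_call(hal_oemlock_citadel, citadeld)` and the `citadeld_service:service_manager find` rule why an OemLock HAL needs citadeld at all; a two-line header such as `# OemLock AIDL HAL backed by the Citadel chip.` / `# Lock state is read and written through citadeld over vndbinder, hence the vndbinder and citadeld rules.` would make the trust path explicit. The rule set appears to match the six denials in the message: the `find` rule answers item 1 and is scoped to `citadeld_service` alone, which is the right width, while `vndbinder_use` should cover the chr_file accesses in items 2-5 and the vndservicemanager call in item 6, assuming the macro grants the usual rw and map permissions on `vndbinder_device`. As a point of style, AOSP HAL domain files usually place `hal_server_domain(...)` directly after the domain's `type` line, ahead of the exec-type declaration, so the attribute that ties the domain into the hal_oemlock neverallows is the first thing a reader sees; consider that ordering here.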